Configuring Secure Websites with Mozilla Observatory

Online security is a concern for any website owner. News regularly breaks about massive data breaches, and the last thing any organization wants is to become the next example of an attack that exposed their customers’ information to people with malicious intent.

Making sure websites are secure can be a daunting task, especially if you aren’t completely up to date with the latest vulnerabilities such as POODLE or BEAST. Fortunately, we have several online tools that will be able to help us get started. However, these tools will only take us part of the way. Remember, no system is ever completely secure. Always take a “defense in layers” approach when securing your websites.

What is Mozilla Observatory?

Observatory is a tool that is geared towards informing website owners of best practices for securing their sites, covering everything from personal blogs to eCommerce.

The tool uses a scoring system to rate how well security is implemented on your website, and by extension how exposed it is. Here is an example of a site that did not implement any security:

As you can see, the tool performs several tests, marks each result as a pass or fail, and assigns it a score. Most scores can only reach as high as 0, but going the extra mile with tests like Content Security Policy, HTTP Public Key Pinning, and X-Frame-Options can result in additional points for implementing them with optional but better settings.

Each of these tests deserves a blog post of their own (stay tuned to our blog to learn more!), as each item covers a very different security setting that should be implemented. The way each item is configured varies depending on the web server you are running (IIS, Apache, NGINX, etc.).

The tool also scans and rates the implementation of TLS on the website. It will check the certificate information and cipher suites used. While Observatory’s TLS scan is not as robust as the Qualys SSL Labs SSL Server Test, it does integrate this test as a third party scanner, along with other tools.
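To make the header tests above concrete, here is an added example (not Observatory's own code or scoring) that audits a set of response headers the way the tool does for Content Security Policy, X-Frame-Options and Strict-Transport-Security. It runs offline over constructed header sets; the six-month HSTS threshold is an assumption, and HTTP Public Key Pinning is left out because major browsers have since dropped support for it.

```python
# Simplified check of response headers in the spirit of Observatory's tests.
# Constructed example, not Observatory's own code or scoring; the six-month
# HSTS threshold (15552000 s) is an assumption made for this illustration.
import re

def _header(headers, name):
    """Case-insensitive lookup; returns the stripped value or None if absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None

def audit_headers(headers):
    """Return {test: (passed, note)} for a dict of HTTP response headers."""
    results = {}
    csp = _header(headers, "content-security-policy") or ""
    if not csp:
        results["content-security-policy"] = (False, "header missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        results["content-security-policy"] = (False, "allows unsafe-inline/eval")
    else:
        results["content-security-policy"] = (True, "restrictive policy present")
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors.
    xfo = (_header(headers, "x-frame-options") or "").upper()
    if "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN"):
        results["x-frame-options"] = (True, "framing restricted")
    else:
        results["x-frame-options"] = (False, "missing or permissive")
    # HSTS: header present with max-age of at least six months (assumed).
    hsts = _header(headers, "strict-transport-security") or ""
    age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if age and int(age.group(1)) >= 15552000:
        results["strict-transport-security"] = (True, "max-age long enough")
    else:
        results["strict-transport-security"] = (False, "missing or max-age too short")
    return results

def failed_tests(headers):
    """Sorted names of the tests a response fails."""
    return sorted(t for t, (ok, _) in audit_headers(headers).items() if not ok)

# Constructed sample responses: one with no hardening, one configured properly.
UNHARDENED = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
```

Feed it the headers from a real response (for example `dict(requests.head(url).headers)`) to see which of these checks a site would fail before running the full Observatory scan.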

After correctly configuring the security settings on your website, you will get a result similar to this:

As mentioned before, it is important to keep in mind that Mozilla Observatory will only be able to test a limited number of the best practices that go into making a site secure. Other items such as outdated software, SQL injection vulnerabilities, vulnerable CMS plugins, and weak passwords are just as important as (or even more important than) the tests performed by this tool.

By utilizing tools like Mozilla Observatory, you can gain some level of assurance that your site’s information is safe, but it’s important to ensure that you are regularly monitoring your security and keeping your systems up to date to address any new concerns that arise. If you have any questions about how to ensure that your site is secure, please contact us, and we’ll work with you to address any issues that you might have. Do you have any questions or security tips of your own? Please feel free to share them in the comments below. We’d love to hear from you!

About the Author

Ricardo Herrera

When Ricardo Herrera worked at WSOL, he maintained the servers in our data centers, performing regular backups and discovering and resolving any potential issues before they became problems that affected any of the websites that we host for our clients. He has a Cisco Networking CCNA Certification, and he is passionate about keeping up with the latest developments in computer science and networking.
Ricardo enjoys digital and film photography. His personal photo blog can be found at http://ricardoherreraphoto.tumblr.com.